The processor part of a security module executes a program in a low-level language, where the commands are formulated according to a structure very close to that of the processor's instructions. Such a program only needs to be compiled before it can be executed. Low-level languages, or machine code, are used notably for programming microprocessors that execute specific instructions. In a program in a high-level language, the commands have a structure closer to natural language but further away from that used by the processor. Commands written in a high-level language must first be interpreted, i.e. converted into machine code commands, before they can be put in the form of instructions understandable by the processor. Thus any computer program gives rise to a series of instructions adapted to the processor for which it is intended.
Securing a computer program means detecting malicious attacks that seek to modify the normal behavior of the computer program, and making the execution of the computer program reliable. The method of the present invention, discussed below, can in particular detect an attack intended to modify the execution of a computer program executed in a security module. In particular, it can detect attacks by interference with the operation of the security module, often referred to as fault attacks. Such attacks aim to illicitly modify the content of a register, memory or bus, or to force the processor not to execute certain instructions of the program. In this case, the attacked computer program may be executed in a very different way from that in which it was designed to be executed. Among other means, such attacks may, in known manner, be carried out by generating a voltage spike at one of the power supply terminals of the processor, suddenly increasing its temperature, quickly changing its clock frequency or its power supply voltage, or applying a flash of light or a laser beam to a portion of the silicon constituting it. According to the state of the art, the person skilled in the art has various ways to combat fault attacks. In particular, most security module components include sensors that detect such attacks. Their efficiency is limited, however, because it is impossible in practice to provide sensors over the whole surface of the component. Moreover, since these sensors are likewise made of silicon, it is possible to interfere with them or to modify the information that they transmit.
Several documents describe solutions for securing a program implemented in a portable carrier such as a smart card or other programmable data processing devices equipped with microprocessors, signal processors, controllers, interfaces and memories.
U.S. Pat. No. 6,006,328 describes a process of including computer code to automatically detect tampering of the computer software, and computer code to prevent the theft of ID-Data by replacing existing vulnerable software or operating system code with secure equivalents which utilize anti-spy techniques. Tampering is detected with the use of code which is protected from disassembly and examination through obfuscation and encryption, and which re-reads its own external image and compares it with its known memory image or pre-calculated check data, so as to detect the modification of software sometime after it has been loaded from disk but before execution of the modified section has commenced. Additionally, the software can scan its own memory image one or more times, or continuously, to ensure that unexpected alterations do not occur.
WO2008025900 describes a security processor for a decoder able to receive a scrambled multimedia signal. The processor comprises at least one first rewritable lock whose value can be toggled between a first and a second predetermined value in response to an EMM or ECM message, a restriction function able to authorize and, alternately, prohibit, as a function of the value of the first lock, only one particular operation of the security processor, this particular operation being chosen from the group composed of: the use of a cryptographic key, the processing of a parameter contained in an EMM or ECM message received, and the execution of an elementary conditional access function of the code of the application.
U.S. Pat. No. 6,959,391 describes a method for protecting a computer core from external manipulation, wherein a check sum is determined from several register contents of the processor by mathematical combination, for example by an exclusive-OR operation, after an instruction has been processed by the processor, and is stored in a memory as a final check sum. Before the next instruction is processed by the processor, a check sum is formed again, that is, the initial check sum. By comparing the initial check sum with the final check sum, which must match, one can ascertain whether register contents of the processor were manipulated after the last instruction was processed.
WO2004/066127 describes a method for securing the execution of a set of at least one instruction in a computer program. The method includes a first step of calculating and storing, prior to execution of the computer program, a first signature representing the expected execution of the set of instructions; a second step of calculating and storing, during execution of the set of instructions, a second signature representing the actual execution of the set of instructions; and a step of detecting an anomaly in the execution of the set of instructions by comparing the first and second signatures.
US2005034010 relates to a microcontroller containing a core, memory devices which are connected to the core via a first bus, peripheral units which are connected to the core via a second bus, as well as a monitoring device which is connected to the core. The core reads from the memory devices data representing commands and operands, and carries them out. The monitoring device monitors the correct operation of the core by receiving from the core data depending on the running of the program carried out by the core, compares the received data with previously defined data in response to predetermined events or at predetermined times, and assumes that the core is operating correctly if the compared data items match. If the compared data items do not match, the core takes suitable actions such as generating an interrupt or resetting the microcontroller.
U.S. Pat. No. 7,168,065 describes a method and a device for monitoring the progress in execution of a series of instructions of a computer program, consisting of analyzing the sequence of instructions transmitted to the processor intended to execute the program being monitored and verifying the result of this analysis against reference data recorded with the said program. It can thus be verified that all the instructions included in the set of instructions under consideration have indeed been transmitted to the processor with a view to their execution. The reference data can for example be a value pre-established so as to correspond to the result of the analysis performed during the monitoring method only if all the instructions in the sequence have actually been analyzed during the running of the program. The analysis step comprises the sub-steps of extracting a data item from each instruction transmitted to the processor and of performing a predetermined calculation on each data item thus extracted, and the verification step comprises comparing the analysis result with the reference data. The running of the program is interrupted when it is detected that the verification value does not correspond to the reference value. This interruption can be accompanied by an invalidation action preventing future use of the device comprising the monitored computer program if the non-correspondence between the verification value and the reference value is detected a predetermined number of times.
US2006047955 discloses a system and a method for guarding against unauthorized manipulation or unintentional modification of an application program of a multi-application smart card by partitioning the application into a plurality of basic blocks. Each basic block has one entry point and one exit point and comprises a set of data units. A check value associated with a basic block is computed as a function of the data units of the basic block. The corresponding check value is buffered while the check value is re-computed, either during runtime execution of the application program or prior to its execution. A verification is carried out to determine that the re-computed check value and the buffered check value are the same.
WO00/70427 discloses a method and a system for authenticating a program code. A first check sum is computed over the program code and compared with a second check sum known to be valid. Based on the comparison, the program code is proved to be authentic if the first check sum matches the second check sum. Further, a predetermined challenge is added to the program code, after which the first check sum is computed over the combination of the program code and the challenge. In this way, applications requiring high security may be certified dependably and variably.
US2007174617 describes a method for updating the firmware of a security module, allowing it to “jump” towards a dedicated separate patch message stream thanks to a stream of trigger messages broadcast in a main stream of management messages. The trigger messages comprise version information allowing it to be established whether the security module is up-to-date, and an identifier indicating to the security module the suitable patch stream. If the current version of the firmware of the security module is lower than the patch version, the security module is directed towards the stream of patch messages designated by the identifier included in the trigger messages. Once the update of the firmware is complete, the security module is again directed towards the main stream. This return can be carried out automatically, namely with a switch message comprising an identifier of the first stream.
GB2416956 discloses a method of testing the integrity of operation of at least part of the mobile radio communications device and comprising the steps of transmitting a test sequence generally comprising a hash function to the device, determining and then transmitting the correct result of the test embodied by the test sequence to the device, applying the test sequence to a selected part of the device, and conducting a comparison of the result of the application of the test sequence with the said transmitted correct result so as to identify a potential compromise in the integrity of the said at least one part of the device if the said comparison indicates that the two said results are different.
EP1056012 discloses an apparatus for detecting abnormality in execution state of a control program. An electronic control unit to which the apparatus for detecting abnormality is applied is provided with a CPU, and a memory for storing a set value representing the number of sub-routines to be executed in each of a series of operations of the control program to be repeatedly executed. The CPU includes a control processor for drive-controlling a door lock motor by executing the control program; a counter for counting the number of the sub-routines that have been executed actually in each of the series of the operations; and a detector which compares the set value stored in the memory with a count value of the counter at the last of the series of the operations, detects that the execution state of the control program is abnormal when the two values are different from each other, and then performs reset of the control processor.
In the context of a pay TV system, a plurality of multimedia units connected to a management center of an operator receive and process broadcast data streams according to access rights stored in one or more security modules associated with these units. Multimedia units may be terminals of various kinds, such as personal computers, decoders or set top boxes, or mobile equipment.
A security module is a well-known tamper-proof device containing different encryption/decryption keys, information for identifying a user on a network and data defining rights acquired by the user for receiving the content of broadcast services. The security module can have different forms, such as a removable contact or contactless smart card inserted in a reader, an integrated circuit soldered onto a mother board, or a card of the SIM (Subscriber Identity Module) type present in most mobile equipment.
A multimedia unit includes a hardware and software central access control module linked to the security module, to a module for demultiplexing the stream, to a decryption module, to applications such as an electronic program guide, and to a return channel towards a management center. The access control module is in charge of, among other functions, forwarding to the security module the control messages ECM and the rights management messages EMM extracted from the demultiplexed stream of digital audio video content data. The security module decrypts, verifies and processes the control messages ECM according to rights stored and updated by the management messages EMM. The control words, extracted from the control messages ECM after their successful verification, are then transmitted, if access is granted, to the decryption module in order to generate data in clear ready to be exploited by the user.
When ECM or EMM messages are processed, the flow of program instructions executed by the processor of the security module becomes complex because of the many branches, tests, jumps, function calls, etc. performed by the program. The prior-art methods for protecting a program against tampering are expensive in code size to implement and are very difficult to maintain. Their scope is very limited, since they cannot take into consideration any event that depends on data in the execution flow, such as conditional branches or data-dependent loops. These methods are therefore used on small blocks of linear code without branches or loops, and cannot take into consideration the value of the data that is processed.
Fault attacks on security modules typically target data, code branches and loops to achieve interesting behaviors. Thus, state-of-the-art methods are not usable to protect data-dependent code flow.
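As an added illustration that is not part of the patent text, the following C code models the execution-signature checking of the prior art discussed above (WO2004/066127, U.S. Pat. No. 7,168,065 and the per-block check values of US2006047955) together with the limitation stated in the last two paragraphs: a running signature over the opcodes handed to the processor detects a skipped instruction in a linear block, but a loop whose iteration count depends on data produces a different signature for every legitimate input, so no single reference value can be stored in advance. The toy opcodes, the FNV-style mixing function and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy opcodes (hypothetical; one byte per instruction). */
enum { OP_LOAD = 0x10, OP_ADD = 0x20, OP_CMP = 0x30, OP_JNZ = 0x40,
       OP_STORE = 0x50, OP_RET = 0x60 };

/* Fold the data item extracted from one instruction (here its opcode)
 * into the running signature. FNV-1a style mixing, chosen for illustration. */
static uint32_t sig_step(uint32_t sig, uint8_t opcode)
{
    return (sig ^ opcode) * 0x01000193u;
}

/* Signature of a whole instruction trace: computed once over the expected
 * trace (the stored reference) and again over the trace actually executed. */
uint32_t trace_signature(const uint8_t *trace, size_t n)
{
    uint32_t sig = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++)
        sig = sig_step(sig, trace[i]);
    return sig;
}

/* 1 if the executed trace matches the reference trace, 0 on any deviation
 * (a skipped or repeated instruction changes the signature). */
int verify_trace(const uint8_t *expected, size_t ne,
                 const uint8_t *actual, size_t na)
{
    return trace_signature(expected, ne) == trace_signature(actual, na);
}

/* Simulated data-dependent loop (ADD, CMP, JNZ repeated 'limit' times),
 * recording each opcode handed to the processor. Returns the trace length. */
size_t run_loop(int limit, uint8_t *trace, size_t cap)
{
    size_t n = 0;
    int counter = 0;
    if (n < cap) trace[n++] = OP_LOAD;
    do {
        counter++;
        if (n + 3 > cap) break;
        trace[n++] = OP_ADD;
        trace[n++] = OP_CMP;
        trace[n++] = OP_JNZ;
    } while (counter < limit);
    if (n < cap) trace[n++] = OP_RET;
    return n;
}
```

Running the loop with two different limits yields traces of different length and different signatures, so a reference computed for one input flags the other as an anomaly even though both executions are legitimate.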